1. Field of the Invention
The present invention relates to a method and apparatus capable of reading, storing and writing encrypted and non-encrypted data and for selectively denying the ability to access data secured through encryption.
2. Background Description
The present invention generally relates to the use of computers which are mobile and which may become involved in a scenario in which an adversary will seek to take possession of the computer and read the secured data. The data is normally made secure due to its being classified in accordance with security regulations. An example of when the present invention may be used is in the field of military helicopters. A specific example is the LAMPS Block II helicopter. In this example, the helicopter includes two removable, rugged commercial mass memory devices. These devices communicate, via a small computer system interface (SCSI) bus, with a mission computer (MC) and a flight management computer (FMC). One mass memory device is an extended mass storage unit (EMSU) disk drive, and the other is a dual PCMCIA (Personal Computer Memory Card International Association) card reader data transfer system (DTS) which uses flash memory cards. The EMSU and each of the flash memory cards appear to the computers as disks. Different sets of data on the disks may be classified or unclassified. The other flash memory card generally contains only unclassified data. In the event of a helicopter finding itself in jeopardy, it is desirable to render the classified data unreadable, whether by removal, erasure or otherwise. For national security purposes, the U.S. government desires at least one new helicopter designed with the ability to render the classified data unreadable within ten minutes.
Currently, classified matter is erased from EMSU devices in accordance with United States Navy Remanence Security Guidebook, NAVSO-5329-26, September 1993, Navy Stock number 0515-LP-208-8345. "Remanence" refers to residual information remaining on data storage media after insufficient purging procedures. Chapter 3 of this Guidebook defines acceptable methods for overwriting magnetic media and for purging magnetic storage media by degaussing. While such methods will indeed render the disk memory unusable, due to the size of the EMSU, these methods cannot be performed in ten minutes. There is also no presently approved method for overwriting data on DTS flash memory cards.
The erasure methods also do not distinguish between classified and unclassified data. Previous military solutions have been hardware based solutions in which all of the data written to a disk had to be encrypted because hardware encryptors don't distinguish between classified and unclassified files. Previous commercial encryption efforts have used both hardware and software based approaches, again using bulk encryptions. Software encryption solutions are typically not intended for real time applications.
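The following is an added illustration, not code from the patent or from any of the systems it describes, of the distinction drawn above: classified files are sealed under a single key held only in volatile memory while unclassified files are stored in the clear, so destroying that one key (a few bytes) renders the classified set unreadable without overwriting the medium, and the unclassified set stays usable. The cipher is an HMAC-SHA256 stream construction with an authentication tag, chosen because it needs only the Python standard library; it stands in for whatever block cipher a real implementation would use, and the store is an in-memory dictionary standing in for the disk.

```python
"""Selective crypto-erase: one volatile key for classified data, cleartext for
unclassified data; zeroizing the key denies access to the classified set only."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode (HMAC-SHA256), a stand-in for a real block cipher mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    pad = _keystream(key, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, pad))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    pad = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


class SelectiveStore:
    """Constructed stand-in for the disk: name -> (classified flag, stored bytes)."""

    def __init__(self) -> None:
        self._key = os.urandom(32)  # lives only in volatile memory
        self._media: dict[str, tuple[bool, bytes]] = {}

    def write(self, name: str, data: bytes, classified: bool) -> None:
        stored = seal(self._key, data) if classified else data
        self._media[name] = (classified, stored)

    def read(self, name: str) -> bytes:
        classified, stored = self._media[name]
        if not classified:
            return stored  # unclassified data is never encrypted
        if self._key is None:
            raise PermissionError("classified key has been destroyed")
        return open_sealed(self._key, stored)

    def zeroize(self) -> None:
        # The only step needed under time pressure: discard the key, not the media.
        self._key = None

    def classified_readable(self, name: str) -> bool:
        try:
            self.read(name)
            return True
        except PermissionError:
            return False


def demo() -> tuple[bytes, bytes, bool, bool]:
    """Returns (classified read before zeroize, unclassified read after,
    classified readable after, stored classified bytes differ from plaintext)."""
    store = SelectiveStore()
    store.write("mission.plan", b"constructed classified content", classified=True)
    store.write("checklist.txt", b"constructed unclassified content", classified=False)
    before = store.read("mission.plan")
    on_disk_differs = store._media["mission.plan"][1] != b"constructed classified content"
    store.zeroize()
    after_unclassified = store.read("checklist.txt")
    return before, after_unclassified, store.classified_readable("mission.plan"), on_disk_differs


if __name__ == "__main__":
    print(demo())
```

The point the background paragraphs make is visible in `demo()`: the classified bytes at rest are ciphertext, the unclassified file is untouched by the erase, and after `zeroize()` the classified file can no longer be opened although the medium itself was never overwritten.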
Classified government data is not the only type of data that one might wish to safeguard. There are systems in the prior art designed to prevent an unauthorized person from accessing data on a portable, or laptop, computer.
For instance, in U.S. Pat. Ser. No. 5,677,952 to Blakely, III et al., there is taught a method, using a secret key, to protect information in a storage disk of a computer using encryption/decryption, where the secret key is derived from a password entered into the computer by an authorized user. The Blakely III et al. method teaches that the secret key is erased from volatile memory when the computer is powered off, logs off, or is inactive for a specified amount of time.
Although the key is erased from volatile memory at power off, at least one user has knowledge of the password and can independently re-enable the key on power up, allowing the information to be decrypted. Thus, the key could be coerced from the user by traditional, albeit potentially ruthless methods. Also, Blakely III, et al. teach that a user must be entrusted with the password because the key is removed from volatile memory after the system has been inactive for a period of time, even when there is no threat of data loss.
U.S. Pat. Ser. No. 5,870,468 to Harrison teaches a method and an apparatus for protecting selected files in a portable computer system. With this invention a user selects a set of files on a hard disk of the system for protection. This invention uses an encryption key, a secret key and an algorithmic transform to protect the selected files. With this invention the selected files are encrypted with the encryption key, and two copies of the encryption key are scrambled, one with the secret key and one with the transform of the secret key. Then, both scrambled versions of the encryption key are stored on the hard disk. When the user enters the secret key, the two scrambled versions of the encryption key are unscrambled using the key entered by the user and by using the transform of the key entered by the user. These unscrambled versions are then compared. If these unscrambled versions match, the original encryption key has been correctly restored and selected files will be decrypted either immediately or when referenced by an application program. This invention also calls for re-encrypting the selected files upon expiration of a timer indicating that the computer is idle or upon the repeated failure of a user to enter the secret key when requested.
In short, Harrison teaches having the user enter a password to generate the encryption key. When the password is successfully entered and the key recovered, the files on the disk will be decrypted, and when an inactivity timeout is reached these files will be re-encrypted and stored on the disk. Thus, according to Harrison's invention, at any given point in time unencrypted files might be resident on a non-volatile disk.
U.S. Pat. Ser. No. 4,817,140 to Chandra et al. teaches placing encrypted and (optionally) unencrypted files on the same media. They also teach placing the encryption key on the media with the data and removing that key. The encryption key is itself encrypted, and there is a token cartridge that relies on a destructive read to remove the key whenever the key is read from the cartridge. In the Chandra et al. invention, access to the encryption key is controlled by a physically secure token being presented to a coprocessor, therefore requiring additional hardware component complexity in the system.